[Bug 633] Password authentication fails in HP-UX trusted mode due to DISABLE_SHADOW
http://bugzilla.mindrot.org/show_bug.cgi?id=633

Summary: Password authentication fails in HP-UX trusted mode due
to DISABLE_SHADOW
Product: Portable OpenSSH
Version: -current
Platform: HPPA
OS/Version: HP-UX
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: michael_steffens@hp.com


Hello,

with current CVS portable OpenSSH non-PAM password authentication fails
with the system running in trusted mode. This becomes an issue, because
apparently current code does not use PAM for plain old password authentication.

The reason for failure is that password hashes are not being looked up using
getspnam, but rather from /etc/passwd even in trusted mode, because
DISABLE_SHADOW is being defined by configure for all versions of HP-UX.

Michael



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

------- Additional Comments From dtucker@zip.com.au 2003-09-05 15:32 -------
Created an attachment (id=383)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=383&action=view)
Always check for iscomsec() on HP-UX

Does this patch fix the trusted mode issue?




dtucker@zip.com.au changed:

What                     | Removed | Added
-------------------------+---------+---------
OtherBugsDependingOnThis |         | 627
Status                   | NEW     | ASSIGNED
Keywords                 |         | patch






------- Additional Comments From michael_steffens@hp.com 2003-09-05 17:40 -------
Attachment #383 doesn't fix it, unless

if (spw = getprpwnam(pw->pw_name) != NULL)

is replaced by

if ((spw = getprpwnam(pw->pw_name)) != NULL)

or the "!= NULL" comparison is omitted.

However, you might consider delegating pw hash retrieval to getspnam,
as this library function will transparently select the correct source
also when /etc/shadow shadowing (which has become available as addon
product for 11i) is in use.

getspnam is available on all versions since at least 10.20.

You may then drop all HP-UX specific stuff from function shadow_pw.
Function xcrypt will need to pick the correct hashing method (crypt
vs. bigcrypt) based on the result of iscomsec(), just the way it
does now. No change required on that part.
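The bracket problem pointed out in the comment above, shown as an added example that is not part of the bug's attachments or of OpenSSH. The lookup, the record types and the sample users (`stub_getprpwnam`, `pr_passwd_stub`, `passwd_stub`, `alice`, `bob`) are constructed stand-ins for HP-UX libsec, so the program runs anywhere; `buggy_spw_value` computes what `spw = getprpwnam(...) != NULL` really stores, and `protected_hash` is the corrected form with the same fall-back to the `/etc/passwd` field that `shadow_pw` uses on other platforms:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the HP-UX libsec types and lookup used in this
 * example; they are not the real struct pr_passwd / getprpwnam(). */
struct pr_passwd_stub {
    const char *ufld_name;      /* user name */
    const char *ufld_password;  /* hash from the protected password database */
};

struct passwd_stub {
    const char *pw_name;
    const char *pw_passwd;      /* what /etc/passwd carries; "*" on a trusted system */
};

/* Constructed sample records: one user in the protected database, one not. */
static const struct pr_passwd_stub protected_db[] = {
    { "alice", "tcbhash-alice" },
};
const struct passwd_stub alice_pw = { "alice", "*" };
const struct passwd_stub bob_pw   = { "bob",   "bobhash-from-passwd" };

/* Stand-in for getprpwnam(): the protected entry, or NULL if there is none. */
static const struct pr_passwd_stub *stub_getprpwnam(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof protected_db / sizeof protected_db[0]; i++)
        if (strcmp(protected_db[i].ufld_name, name) == 0)
            return &protected_db[i];
    return NULL;
}

/* What the line in attachment #383 actually computes.  Because != binds more
 * tightly than =, `spw = f() != NULL` means `spw = (f() != NULL)`: spw gets
 * the comparison result, 0 or 1, never the pointer.  The cast below only makes
 * that grouping explicit so the example compiles without warnings. */
uintptr_t buggy_spw_value(const char *name)
{
    const struct pr_passwd_stub *spw;
    spw = (const struct pr_passwd_stub *)(uintptr_t)(stub_getprpwnam(name) != NULL);
    return (uintptr_t)spw;   /* 1 for a known user, 0 otherwise; not dereferenceable */
}

/* The corrected shape: parentheses around the assignment, so spw holds the
 * real pointer.  Falls back to the /etc/passwd field when there is no
 * protected entry, the way shadow_pw() falls back on other platforms. */
const char *protected_hash(const struct passwd_stub *pw)
{
    const struct pr_passwd_stub *spw;
    if ((spw = stub_getprpwnam(pw->pw_name)) != NULL)
        return spw->ufld_password;
    return pw->pw_passwd;
}
```

With the unparenthesised form, `spw` is 1 for any user present in the protected database, so the code that follows dereferences address 1 or silently takes the non-shadow path; the parenthesised form (or simply `if ((spw = getprpwnam(...)))`) is what the patch needs.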




dtucker@zip.com.au changed:

What                       | Removed | Added
---------------------------+---------+------
Attachment #383 is obsolete| 0       | 1



------- Additional Comments From dtucker@zip.com.au 2003-09-05 19:49 -------
Created an attachment (id=385)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=385&action=view)
Remove DISABLE_SHADOW for HP-UX 11.x, fix brackets.

Not as tidy as I'd like, but does this fix it? Note: You will need to run
"autoreconf" to rebuild configure, then re-run configure.

Also: I just noticed that xcrypt.c has variable declarations after code within
a block, which I think some compilers will choke on.




------- Additional Comments From michael_steffens@hp.com 2003-09-06 00:22 -------
Created an attachment (id=386)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=386&action=view)
Move protected pw hash retrieval to getspnam

HP-UX trusted mode (as well as shadow mode on 11i, if installed and active)
can be served by the very same code as Linux and Solaris are, at the top of
function shadow_pw.

Attached patch illustrates what I mean. It consists of removed lines only :)

I tested it on 10.20, 11.00, and 11.11.

The latter one with ShadowPassword installed and activated, and the same sshd
binary as used on the 11.00 trusted system. It worked.




------- Additional Comments From dtucker@zip.com.au 2003-09-06 00:41 -------
I understood what you were getting at, but am wary of breaking things I can't
test. Will patch #386 break any currently-working configurations?




------- Additional Comments From michael_steffens@hp.com 2003-09-06 01:17 -------
Hmm, how to guarantee this? But I would say, unless other platforms
get accidentally recognized as HP-UX by configure, or define the __hpux
macro, no platform but HP-UX can be affected by this change.

On HP-UX 10.20, 11.00, and 11.11 I have tested it with both trusted
and non-trusted mode, plus ShadowPassword on 11.11.

The possibility remains that OS patch levels might affect it, but it's
virtually impossible to test all possible configuration there...

Furthermore, using getspnam for this purpose is in line with its
specification, see getspent(3C).

Without ShadowPassword installed it states

getspent() is only supported on trusted systems.

The secured password facility is implemented without the use of the
/etc/shadow file. getspent(), getspnam(), setspent(), and endspent()
read from the trusted system's protected password database
(/tcb/files/auth/*/*) and not /etc/shadow. The file /etc/shadow is
not used in any way by the HP-UX login facility.

These routines return a null pointer and sets ERRNO to ENOENT if the
system has not been converted to trusted system. In all other cases,
the return value is set similarly to getprpwent(). See getprpwent(3)
for more information.

Programs using these routines must be compiled with -lsec.

On 11.11 with ShadowPassword installed it says

If libsec patch PHCO_27038 or later is not installed, then getspent(),
getspnam(), setspent() and endspent() are supported only on trusted
systems; getspnam_r() and fgetspent() are not supported. The secured
password information is obtained from the Protected Password Database
(/tcb/files/auth/*/*).

If libsec patch PHCO_27038 or later is installed, then all of these
functions are supported on standard systems, shadowed standard systems
and trusted systems. The one exception to this is that getspnam_r()
is not supported on trusted systems. On a standard system the secured
password information is obtained from /etc/passwd. If the system has
been converted to a trusted system, then the secured password
information is obtained from the Protected Password Database
(/tcb/files/auth/*/*). If the system has been converted to use shadow
passwords, then the secured password information is obtained from
/etc/shadow. See shadow(4).

The patch referred to, PHCO_27038, however is part of the ShadowPassword
software bundle, thus can be assumed to be present.

Isn't this exactly the behaviour we want?




------- Additional Comments From dtucker@zip.com.au 2003-09-06 12:00 -------
Anything that defines __hpux that isn't HP-UX deserves whatever it gets.

This code was originally put there for a reason, I'm wondering if the reason is
still valid now.

My guess is that it was to support older trusted-mode boxes (does 10.10 do
trusted mode?) or unpatched machines where getspnam doesn't work. Have asked
stevesk.


